A Look Back at AppSecUSA: From Application Security to DevOps and Beyond

Last week I spent two fantastic days in Washington, DC attending the AppSecUSA Conference on behalf of Threat Stack, one of the event’s Silver Sponsors.

When people think of the AppSec event, I assume the first thing that comes to mind is just that: Application Security. Given the fact that Threat Stack is more widely known for helping organizations protect their cloud environments, you might well ask why we took part in a show that’s not strictly dedicated to infrastructure security.

Great question, but as you’ll see, the answer is rooted in a match-up between a rapidly evolving technology landscape and Threat Stack’s core mission.

Seeing the Forest as Well as the Trees

In several of the formal presentations and in many of the conversations we had with people on the conference floor, we found that this year’s attendees were much less focused on a single discipline and were taking on a broader DevOps view of the world.

This echoes the transformation we’re seeing throughout the industry where more and more applications and environments are living outside the perimeter, and continuous development is reaching more teams.

Along with the DevOps approach that is becoming increasingly universal, especially in high-velocity environments, there’s also a growing sense of urgency about the need to integrate security into the software development process to ensure that reliable software is being released at speed and at scale. So we’re seeing a move away from a limited application- or product-centric world, and the adoption of a DevOps approach. In some cases, we’re also seeing the adoption of the even more encompassing SecOps (aka DevSecOps and sometimes SecDevOps) methodology.

Ensuring that software can be developed rapidly and securely — i.e., with no sacrifice in quality or slowdown in speed — is fundamental to Threat Stack’s mission, and to this end, we want to support a SecOps approach whenever and wherever we can. Hence our presence at AppSec and shows like it.

The Further Rise of IoT

Another interesting focus this year was IoT exploitation. With IoT comes significantly increased vulnerability (easy physical access to devices and more surfaces to attack) and, given the nature of the marketplace, there’s a tendency for many devices to be rushed to production with features first and security after.

At Threat Stack, we regard this as a massive area where security needs to be integrated into the development lifecycle to ensure rapid, quality releases — or to look at it from another perspective — to reduce risk to users, risk to reputation, and costly retro-fixes.

Microservices Abound

Several talks on Docker indicated that a migration to microservices is in full swing. In my discussions, microservices are seeing wider adoption, but it seems that they aren’t yet well understood. Securing these containerized installations presents an even larger challenge, as many of the folks we spoke with were still learning how to make the best use of these services in the first place.

So again, we’re witnessing a rapid and significant shift, but it’s one where many of the players haven’t thought through or understood the security implications.

Spies Like Us

AppSec was held in the lovely Renaissance Washington DC Hotel. In addition to offering many information-rich and thought-provoking presentations and the opportunity to meet a lot of interesting people, it also entertained us with a great dinner, drinks, and tours of the awesome Spy Museum on Thursday night. For any fans of the show “The Americans,” or James Bond, this is the place for you!

It’s great to see more and more security finding its way into development at all levels. We found it particularly encouraging to see how many developers are coming to view security as part of everyone’s job, and are injecting themselves into the security of the entire stack.

AppSecUSA was a fantastic event, and Threat Stack was proud to be a part of it!